Featured Article from Cloud Security

As noted in previous postings on this year’s RSA Conference in San Francisco, it comes at what many are calling a watershed moment in the history of cybersecurity. One needs to look no further than the issues of encryption and decryption being contested in the battle between Apple and the FBI for validation. What makes RSA so interesting is that, along with the myriad new solutions being introduced and showcased, it is a place for the release of important information about industry trends on a broad range of fronts.

Indeed, given current concerns about when, where, how and why encryption should be used, and what boundaries need to be set around its use, one of the most interesting reports that Cloud Security Resource Community members should put on their reading lists is the Thales 2016 Global Encryption and Key Management Trends Study.

Based on independent research by the Ponemon Institute and sponsored by Thales and Vormetric Data Security, the study reveals the extent to which the use of encryption is growing in response to cyber-attacks, privacy compliance regulations and consumer concerns about their personal information being compromised. It also shines a light on the momentum among enterprises of all sizes in moving sensitive data to the cloud within the next two years. This trend is of vital importance: what it means for the growth of the attack surface, and for the critical area of encryption key management, must be understood and addressed properly.

The report, now in its 11th year, examines global encryption trends and regional differences in encryption usage. Its data comes from surveys of over 5,000 IT professionals in the U.S., U.K., Germany, France, Australia, Japan, Brazil, the Russian Federation, Mexico, India and, for the first time this year, Saudi Arabia. While the overall finding that encryption is being used more and more in response to growing risks was to be expected, there were a few surprises in the survey responses.

Views and news you can use

A few of the report highlights are as follows:

• More than half of respondents (56 percent) are transferring sensitive or confidential data to the cloud, and this will rise to a total of 84 percent in the next two years.

• Support for both cloud and on-premise deployment was rated the most important consideration when deploying encryption solutions.

• Employee and HR data is the most commonly encrypted data, higher even than payment data, intellectual property or financial records, indicating a higher sensitivity to protecting personal information.

• The number one perceived threat to data exposure is employee mistakes, followed by system or application malfunction, rather than external attack or malicious insiders.

While all of the findings are food for thought, the last one, about employee mistakes, really jumps out, as the chart from the report below shows.

[Chart: perceived threats to sensitive data exposure. Source: 2016 Global Encryption Trends Study]

It jumps out for two reasons: it contradicts some of the reports from various solution providers, and it suggests that everyone involved in decisions about cybersecurity strategy and deployment may need to rethink where to direct their risk mitigation spending, especially as data moves to the cloud and is encrypted there.

Peter Galvin, vice president strategy at Thales e-Security, commented that: “As businesses increasingly turn to cloud services, we’re seeing a rapid rise in sensitive or confidential data being transferred to the cloud and yet only a third of respondents had an overall, consistently applied encryption strategy. Encryption is now widely accepted as best-practice for protecting data, and a good encryption strategy depends on well-implemented encryption and proper key management. Thales hardware security modules (HSMs) have provided reliable high-assurance key management for decades, and this year’s study underscores their importance in securing a wide range of critical applications.”

The study’s findings continue to demonstrate the adoption of encryption solutions to reduce risk, improve organizational security posture and meet data compliance regulations. Dr Larry Ponemon, chairman and founder of The Ponemon Institute, says: “Mega breaches and cyberattacks have increased companies’ urgency to improve their security posture, and encryption usage continues to be a clear indicator of a strong security posture. The findings of this year’s study demonstrate the importance of both encryption and key management across a wide range of core enterprise applications – from networking, databases and application level encryption to PKI, payments, public and private cloud computing and more.”

More encryption and proper key management, as noted at the top, are going to be hot topics of discussion at RSA. As the rash of data breaches this past year has underscored, we live in an increasingly data-centric world, and protecting that data, starting at its source, has become critical: encrypting it is no longer optional but a necessity. However, who holds the keys and how they are managed is, to say the least, “concerning.”

Galvin and I spoke prior to the release of the report, and he had a few very salient additional observations. First, he noted that “It is surprising there is not more encryption, but the reasons are understandable. Historically, there was a lot of pain in deploying encryption tools that have now come to the fore. Things have gotten really hard to implement, especially in the places where encryption must take place, and there has been a lack of tools for creating a consistent key management environment. The good news is there are now solutions available that address these very complex and difficult challenges in a cost-effective way.”

Galvin explained that the challenges start with the fact that most large organizations have trouble knowing where their data is. “They know what they want to protect but can’t figure out where it lives. Thus, when it comes to securing the enterprise, this is like locking the door but leaving the window next to it open. It is all about visibility as well as control.” He added, “This ultimately speaks to the need for a more data-centric view of protecting data. Follow the data and not the system, and make sure those responsible for the keys are trusted and the keys themselves are properly managed.”
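Galvin’s “follow the data” point and the question of who holds the keys are easiest to see in code. The following is an added example, not code from the study, from Thales or from Vormetric: it implements envelope encryption, where each record is encrypted under its own data key, that data key is wrapped by a key-encryption key (KEK) that never leaves a key holder, and the wrapped key travels with the record. The `KeyHolder` class is a hypothetical stand-in for an HSM or KMS, not a vendor API. Rotating the KEK re-wraps only the data keys, so the bulk data, wherever it has moved, is untouched, and a copy of the envelope taken to another environment is useless without the holder. The cipher is HMAC-SHA256 in counter mode with encrypt-then-MAC so the example runs on the standard library alone; in production use AES-GCM from a vetted library. The sample record is constructed for the example.

```python
# Added example, not code from the study or from Thales/Vormetric: envelope
# encryption with the key-encryption key (KEK) held apart from the data.
import hashlib
import hmac
import os
import struct

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as a PRF-based stream cipher.
    Stand-in for AES-CTR so the example needs only the standard library;
    production code should use AES-GCM from a vetted crypto library."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key: bytes):
    # Separate encryption and MAC keys derived from one 32-byte key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _encrypt(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    """Encrypt-then-MAC. `aad` is authenticated but not encrypted."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _decrypt(key: bytes, blob: bytes, aad: bytes) -> bytes:
    """Verify the tag in constant time before touching the ciphertext."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class KeyHolder:
    """Hypothetical stand-in for an HSM or KMS (not a vendor API): it holds
    the KEKs and only ever wraps or unwraps data keys; a KEK never leaves it."""

    def __init__(self):
        self._keks = {}
        self.current = 0
        self.rotate()

    def rotate(self) -> int:
        self.current += 1
        self._keks[self.current] = os.urandom(32)
        return self.current

    def wrap(self, dek: bytes):
        v = self.current
        return v, _encrypt(self._keks[v], dek, b"kek-v%d" % v)

    def unwrap(self, version: int, wrapped: bytes) -> bytes:
        if version not in self._keks:
            raise ValueError("unknown KEK version %d" % version)
        return _decrypt(self._keks[version], wrapped, b"kek-v%d" % version)


def encrypt_record(holder: KeyHolder, record_id: bytes, plaintext: bytes) -> dict:
    """Each record gets its own data key; the envelope carries the wrapped key,
    so the record can move to the cloud while the KEK stays with the holder."""
    dek = os.urandom(32)
    version, wrapped = holder.wrap(dek)
    return {"record_id": record_id, "kek_version": version,
            "wrapped_dek": wrapped, "ciphertext": _encrypt(dek, plaintext, record_id)}


def decrypt_record(holder: KeyHolder, env: dict) -> bytes:
    dek = holder.unwrap(env["kek_version"], env["wrapped_dek"])
    return _decrypt(dek, env["ciphertext"], env["record_id"])


def rotate_kek(holder: KeyHolder, envelopes) -> int:
    """Rotate the KEK and re-wrap only the data keys; bulk ciphertext is untouched."""
    new_version = holder.rotate()
    for env in envelopes:
        dek = holder.unwrap(env["kek_version"], env["wrapped_dek"])
        env["kek_version"], env["wrapped_dek"] = holder.wrap(dek)
    return new_version


if __name__ == "__main__":
    hsm = KeyHolder()
    # Constructed sample HR record, the data type the study found most often encrypted.
    record = encrypt_record(hsm, b"hr/employee/42", b"Jane Doe, payroll grade 7")
    rotate_kek(hsm, [record])
    print(decrypt_record(hsm, record), "after KEK rotation to v%d" % record["kek_version"])
```

The design choice to note is the split: the cloud side stores `ciphertext`, `wrapped_dek` and the KEK version, and can be copied freely, while the party that is liable for the keys is the one that operates `KeyHolder`. Rotation and revocation happen there, on small key blobs, rather than by re-encrypting terabytes in whatever system the data happens to live in.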

I stated at the top that the report could not be more timely given the buzz at RSA. It also should be part of the buzz at your organization. As the case for adding encryption “E”verywhere grows, the complexity of managing an encrypted environment grows with each implementation, and minding the keys, including who has them and who is liable for their protection, becomes a priority not just for IT but increasingly for the lines of business as well.